The EUR RVSM Programme has to demonstrate to the international aviation community that the Target Level of Safety (TLS) set out by ICAO [ICAO, 2002] for the vertical collision risk will not be exceeded in the European RVSM Airspace.

6.3.1 Safety Policy

The EUR RVSM Safety Policy [EUROCONTROL, 2000] has been developed to meet the requirements of the ICAO standard. The Safety Policy is described through a set of safety statements, on the basis of which the EUR RVSM safety objectives are defined. It is the function of these objectives to ensure that the safety statements are complied with.

Figure 6.2 shows the main concepts involved in the Safety Policy in the form of a metamodel for a model representing the Safety Policy.

6.3.2 Functional Hazard Assessment (FHA)

A detailed FHA is conducted to determine how safe the system needs to be by specifying the minimum requirements to be achieved by the system in relation to the identified hazards (called safety objectives in the context of FHA [EUROCONTROL, 2001b]). The identification is carried out in structured brainstorming sessions. For each session a number of scenarios were developed. The aim of the scenarios is to ensure that all RVSM-related aspects of flight and air traffic control operations are critically examined.

Figure 6.2: Concepts and their relationships in the RVSM Safety Policy

Once all possible hazards have been identified, each of them is assessed to determine its consequences on operation and safety. After assessment of the operational and safety consequences, the identified hazards are assessed with regard to severity and probability. The safety objective for each hazard is derived from the severity classification assigned to the hazard. Based on the specific severity classification, the safety objective specifies the maximum tolerable probability of occurrence of the failure condition; that is, "how safe the system needs to be".

Additionally, the mitigation that reduces the effect and/or the probability of occurrence of each hazard is identified. Then, based on the mitigation, the identified hazards are grouped into two categories: safety-critical (not tolerable) and not safety-critical. Safety-critical hazards are those that do not achieve the related safety objective after RVSM mitigation (the identified mitigation is not sufficient).

Figure 6.3 shows the main concepts in the FHA and the relationships between them (the metamodel of the FHA model).

6.3.3 Preliminary System Safety Assessment (PSSA)

Throughout the PSSA, further development is made in the context of safety and safety requirements are defined [EUROCONTROL, 2001c]. Initially, the safety objectives, which express seven attributes of the system, are translated into High-level Safety Requirements, which are allocated to different RVSM system elements and subsequently broken down into safety requirements for them. System attributes include Function, Accuracy, Capacity, Overload Tolerance, Robustness, Reliability and Maintainability.

Figure 6.3: Concepts and their relationships in the FHA

Additionally, the identified hazards are allocated to the system elements in order to ensure that they are appropriately addressed and their risk is being managed. In doing so, safety integrity requirements are defined that correspond to the safety objectives for the hazards identified in the FHA. Then, these requirements, with an indication of what (if any) mitigation is available, are allocated to already defined safety requirements and, consequently, to the related system element(s). Therefore, if any mitigation is available, an explicit (functional and detailed) safety requirement is derived for the relevant system element(s), in order to specify clearly the mitigation required. Otherwise, the safety integrity requirement from the FHA is directly allocated to the relevant system element(s), in order to limit the risk to a tolerable level.

Safety requirements (of all types) also specify how they are realised and which actions are required from the individual stakeholders participating in EUR RVSM. Actions are particularly related to (affect) the tasks carried out under the Sub-Programme P2. For example, they require specific training for the aircrew or ATC staff, particular requirements and specifications for ATC systems, or specific ATC procedures to follow.

Figure 6.4 shows the main concepts in the PSSA and the relationships between them (the metamodel of the model of the PSSA).

Figure 6.4: Concepts and their relationships in the PSSA

6.3.4 System Safety Assessment (SSA)

In the SSA, the target system is checked against the FHA-derived safety objectives or, more accurately, the PSSA-derived safety requirements. The Pre-Implementation Safety Case (PISC) [EUROCONTROL, 2001c] establishes all the arguments and evidence necessary to demonstrate that the implementation of RVSM will be tolerably safe when assessed against the requirements of the EUR RVSM Safety Policy. The principal safety arguments are that

– the safety requirements fully address all the functionality, performance and integrity requirements necessary to ensure that the safety risks under RVSM will be tolerable;

– the RVSM Concept fully satisfies the RVSM safety requirements;

– the Implementation of the RVSM Concept fully satisfies the RVSM

– the Switch-Over from the current vertical separation minima to RVSM will not adversely affect the safety of the on-going air traffic operations.

Nevertheless, the evidence of successful implementation of RVSM, which ensures that the agreed safety objectives are met, depends on the satisfactory completion of the actions specified by the safety requirements in other areas.

Accordingly, and considering the above-mentioned safety arguments, it must be possible to link safety requirements to other parts of the system and to deliverables, in order to demonstrate that they are satisfied. For example, if an action results in a specific requirement in one of the supporting systems, it has to be shown that the requirement is implemented in that system, for instance by requirements traceability in its development. If an action requires a specific procedure or training, there should be corresponding parts (procedure or training material) in the ATC Manual or the ATC training syllabus. These relationships have to be defined and available in order to establish valid safety arguments. Therefore, traceability is essential to be able to comprehensively demonstrate that the EUR RVSM Programme is operationally safe.
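The chain described in sections 6.3.2 to 6.3.4 (hazard, severity-derived safety objective, mitigation, safety requirement allocated to a system element, stakeholder action, and the deliverable that evidences it) lends itself to a mechanical consistency check. The following is an added example, not part of the thesis or of any EUROCONTROL deliverable: it models that chain in a few dataclasses and reports the three gaps a safety case reviewer looks for first, namely hazards still safety-critical after mitigation, hazards allocated to no requirement, and requirements whose actions lack traced evidence. The severity classes, tolerable probabilities, hazards, requirements and evidence references are all constructed for illustration and are not EUR RVSM figures.

```python
"""Added example: FHA/PSSA/SSA chain with a traceability check.

All data below is constructed for illustration; the severity table in
particular is hypothetical and is not the EUR RVSM classification."""
from __future__ import annotations

from dataclasses import dataclass, field

# Hypothetical maximum tolerable probability of the failure condition
# (per flight hour) that the safety objective assigns to each severity class.
TOLERABLE_PROBABILITY: dict[str, float] = {
    "catastrophic": 1e-9,
    "hazardous": 1e-7,
    "major": 1e-5,
    "minor": 1e-3,
}


@dataclass
class Hazard:
    hazard_id: str
    description: str
    severity: str
    probability_unmitigated: float
    # Fraction of the unmitigated probability that remains after the
    # identified RVSM mitigation (1.0 means no mitigation available).
    mitigation_factor: float = 1.0

    def safety_objective(self) -> float:
        # Section 6.3.2: the objective is derived from the severity class.
        return TOLERABLE_PROBABILITY[self.severity]

    def probability_mitigated(self) -> float:
        return self.probability_unmitigated * self.mitigation_factor

    def is_safety_critical(self) -> bool:
        # Safety-critical = objective still not achieved after mitigation.
        return self.probability_mitigated() > self.safety_objective()


@dataclass
class Action:
    action_id: str
    stakeholder: str
    # References to deliverables (ATC Manual section, syllabus module,
    # system requirement id) that evidence completion of the action.
    evidence: list[str] = field(default_factory=list)


@dataclass
class SafetyRequirement:
    req_id: str
    hazard_id: str          # hazard it addresses (allocation from the FHA)
    system_element: str     # RVSM system element it is allocated to
    actions: list[str]      # action ids that realise the requirement


def safety_critical_hazards(hazards: list[Hazard]) -> list[str]:
    return [h.hazard_id for h in hazards if h.is_safety_critical()]


def unallocated_hazards(hazards: list[Hazard],
                        requirements: list[SafetyRequirement]) -> list[str]:
    # Section 6.3.3: every hazard must be allocated to a system element via
    # at least one safety (integrity) requirement.
    covered = {r.hazard_id for r in requirements}
    return [h.hazard_id for h in hazards if h.hazard_id not in covered]


def untraced_requirements(requirements: list[SafetyRequirement],
                          actions: list[Action]) -> list[str]:
    # Section 6.3.4: a requirement supports a safety argument only if each
    # of its actions is traceable to evidence in a deliverable.
    by_id = {a.action_id: a for a in actions}
    gaps = []
    for r in requirements:
        if any(aid not in by_id or not by_id[aid].evidence for aid in r.actions):
            gaps.append(r.req_id)
    return gaps


# Constructed sample data (not from the EUR RVSM safety case).
HAZARDS = [
    Hazard("H1", "Non-approved aircraft enters RVSM airspace",
           "hazardous", 1e-5, mitigation_factor=1e-3),
    Hazard("H2", "Altimetry system error remains undetected",
           "catastrophic", 1e-7, mitigation_factor=0.1),
    Hazard("H3", "Controller unaware of aircraft RVSM status",
           "major", 1e-4, mitigation_factor=0.01),
]
ACTIONS = [
    Action("A1", "ATC unit", evidence=["ATC Manual, constructed section 3.4"]),
    Action("A2", "Aircraft operator", evidence=["Training syllabus, module 2"]),
    Action("A3", "Aircraft operator"),  # no evidence recorded yet
]
REQUIREMENTS = [
    SafetyRequirement("SR-1", "H1", "ATC system", ["A1"]),
    SafetyRequirement("SR-2", "H2", "Aircraft", ["A2", "A3"]),
]


def safety_case_gaps() -> dict[str, list[str]]:
    """Summary a reviewer would want before accepting the safety argument."""
    return {
        "safety_critical": safety_critical_hazards(HAZARDS),
        "unallocated": unallocated_hazards(HAZARDS, REQUIREMENTS),
        "untraced": untraced_requirements(REQUIREMENTS, ACTIONS),
    }


if __name__ == "__main__":
    for kind, ids in safety_case_gaps().items():
        print(f"{kind}: {ids}")
```

With the constructed data, H2 remains safety-critical (its mitigated probability of about 1e-8 still exceeds the catastrophic objective of 1e-9), H3 is never allocated to a requirement, and SR-2 cannot be argued because action A3 has no evidence; each of these is a gap the safety arguments of section 6.3.4 cannot be closed without.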